According to FINRA, Osaic Wealth, Inc., formerly known as Royal Alliance Associates, Inc. (CRD #23131), based in Jersey City, New Jersey, was fined $150,000 on March 14, 2024, for failing to establish a supervisory system reasonably designed to safeguard customer records and information in compliance with the Safeguards Rule.

FINRA found that Osaic Wealth failed to implement adequate cybersecurity protections across its branch office network. The firm allowed individual branch offices to develop their own security controls without firm-level oversight or standardization. This decentralized approach created significant vulnerabilities, as individual branches may lack the expertise, resources, or awareness needed to implement effective cybersecurity measures.

Among the specific deficiencies identified, the firm did not require multi-factor authentication (MFA) for accessing systems containing customer information until March 2023. MFA is widely regarded as one of the most basic and effective cybersecurity measures available, adding a critical second layer of protection beyond passwords alone. The firm also failed to require email encryption, leaving sensitive customer communications vulnerable to interception. Additionally, the firm did not maintain email access logs, which are essential for detecting unauthorized access to customer accounts and investigating potential breaches.

As a direct consequence of these cybersecurity failures, the firm experienced numerous cyber intrusions. These intrusions potentially exposed sensitive customer information, including personal and financial data, to unauthorized parties. The Safeguards Rule, derived from SEC Regulation S-P, requires broker-dealers to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.

The $150,000 fine reflects the seriousness of the firm's failure to protect customer data. In an era of increasingly sophisticated cyber threats, firms have a heightened obligation to implement robust security measures and to ensure consistent application of those measures across all offices and platforms.

This case carries important lessons for investors. Customers entrust broker-dealers with highly sensitive personal and financial information, and they have a right to expect that this information will be protected with reasonable security measures. Investors should ask their financial firms about the security measures in place to protect their data, including whether MFA is required and whether communications are encrypted. If investors receive notifications of data breaches from their financial firms, they should take immediate steps to monitor their accounts and credit reports for signs of unauthorized activity. Cybersecurity is no longer optional in the financial services industry — it is a regulatory obligation and a fundamental component of investor protection. (FINRA Case #2021071722201)